MS Employee Calls for No More Passwords
BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like L0phtCrack make passwords obsolete and dangerous in the Windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes (and we know exactly where that leads), this is a simple idea; I'm surprised more people haven't been doing it more often."
something you have, something you are, something you know
Biometric authentication can't be changed. I can change a password, but I can't change my fingerprints.
This won't solve the problem of possible data interception when talking about remote authentication--but every form of authentication is prone to such attacks when transmitted.
No it isn't, because if you use a salted hash (chosen by the server), you can't just replay the traffic.
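The replay protection described in the reply above, as an added example that is not part of the thread: the server keeps only a salted verifier and issues a fresh nonce per login, so a sniffed response is useless against the next challenge. Class and function names are assumptions for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed demo: the server stores a salted, stretched verifier rather than
# the password. Note the caveat: whoever steals the verifier table can still
# answer challenges, so the database itself must be protected.

def derive_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    def __init__(self, username: str, password: str):
        self.salt = secrets.token_bytes(16)
        self.users = {username: derive_verifier(password, self.salt)}
        self.outstanding = {}  # username -> nonce awaiting a response

    def challenge(self, username: str):
        nonce = secrets.token_bytes(16)  # fresh per attempt, never reused
        self.outstanding[username] = nonce
        return self.salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(username, None)  # single use
        if nonce is None or username not in self.users:
            return False
        expected = hmac.new(self.users[username], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    # The client proves knowledge of the password without sending it.
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()

def demo(password: str = "correct horse battery staple"):
    srv = Server("alice", password)
    salt, nonce = srv.challenge("alice")
    resp = client_response(password, salt, nonce)
    first_login = srv.verify("alice", resp)
    # An eavesdropper replays the captured response against a new challenge.
    srv.challenge("alice")
    replayed = srv.verify("alice", resp)
    # A guess with the wrong password fails as well.
    salt, nonce = srv.challenge("alice")
    wrong = srv.verify("alice", client_response("hunter2", salt, nonce))
    return first_login, replayed, wrong
```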
Once someone gets a copy of your fingerprint or retina, your credit card is compromised for life. You can't change your biometrics, which is why they are a total joke.
Even the non-lazy wouldn't be happy about long passphrases. At work, I lock my screen whenever I leave the desk, and the password protected screen saver timeout is 5 minutes in case I forget. Would I be willing to do this if I had to type out 40 characters to get back into my machine? Hell no, I'd get a Homer-Simpson-like pecking bird to keep the keyboard active while I'm gone, resulting in less security. Although I understand what this guy is saying, the idea of super long pass phrases is a non-starter in any real world environment.
1) it's just as easy (give or take the odd case where you're just able to sample a few bytes) to sniff a passphrase as a password
2) if most people's passphrases are made of dictionary words taken from their active vocabularies, dictionary attacks are still very possible. If we figure a typical vocabulary of 25000 words and a six-word phrase, hmmm, some quick math indicates we're in the range of a 14-character random alphanumeric+punctuation password -- not too bad. (Especially if you grant people bigger vocabularies....) But, suddenly, we're open to language-based attacks -- there's probably a thesis project in here for someone to come up with good algorithms to narrow down the required attack dictionary.
Why would I want to do it so complicated? I can record the binary data representing your fingerprint and use that. Replay attacks have been around for ages.
I only need a physical representation of your biometric data if one assumes that the system with Analog to Digital Converters and all won't be compromised. What a silly idea. Every security system which is based on control over the equipment fails sooner or later.
subject - verb - object
(I like pizza).
Here's another:
adverb/adjective - object - verb
(Mean people suck).
The trick is finding the most common 3 word phrases (in English) and applying the basic grammatical rules you learned in school.
That guy didn't understand that passphrases/passwords are covered in cryptology under "authentication".
And any student of cryptology can tell you that PATTERNS are the problem.
With passphrases, there are too many GRAMMATICAL RULES and PATTERNS that make it simple to crack.
He focuses solely on the number of characters and never looks at how someone else would approach this to crack it.
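The two entropy arguments above (the 25000-word vocabulary estimate, and the objection that grammatical templates shrink the search space) worked through as an added example, not code from the thread. The 95-character alphabet and the per-slot vocabulary sizes for the subject-verb-object template are assumptions.

```python
import math

PRINTABLE = 95  # assumed alphabet for "random alphanumeric+punctuation"

def random_password_bits(length: int, alphabet: int = PRINTABLE) -> float:
    """Entropy of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet)

def word_phrase_bits(words: int, vocabulary: int) -> float:
    """Entropy if every word is drawn uniformly from one vocabulary."""
    return words * math.log2(vocabulary)

def patterned_phrase_bits(slot_sizes) -> float:
    """Entropy when each slot of a grammatical template (e.g. subject, verb,
    object) is drawn from its own much smaller candidate list."""
    return sum(math.log2(n) for n in slot_sizes)

def equivalent_password_length(bits: float, alphabet: int = PRINTABLE) -> float:
    """Random-password length with the same entropy."""
    return bits / math.log2(alphabet)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def compare(guesses_per_second: float = 1e9) -> dict:
    six_words = word_phrase_bits(6, 25000)
    three_words = word_phrase_bits(3, 25000)
    # Constructed template sizes: common subjects, verbs, objects
    svo = patterned_phrase_bits([500, 300, 2000])
    return {
        "six_word_bits": six_words,
        "six_word_as_password_len": equivalent_password_length(six_words),
        "three_word_bits": three_words,
        "svo_template_bits": svo,
        "svo_years_at_rate": years_to_exhaust(svo, guesses_per_second),
        "three_word_years_at_rate": years_to_exhaust(three_words, guesses_per_second),
    }
```

The template figure shows the poster's point: three words chosen by grammar rather than uniformly at random lose roughly a third of their nominal bits, and the gap widens the more predictable the slots become.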
Great, now what happens when I need to log into a remote server? I currently live in Colorado and have access to machines in Wisconsin and Alberta, and the great security of fingerprint biometrics aside, my arms just aren't that long. And if that remote machine will accept data from a reader at my own machine, well, that reader is vulnerable to tampering and outside their control, and we're back where we started.
At some point, we HAVE to realize that we just can't have some type of perfect security. Like a real safe or vault, someone determined enough to get in WILL get in. However, the better the security, the more chance that you will catch them in the act and prevent it, or deter the would-be attacker in the first place. This is the true goal of security.
Biometric security measures, in my opinion, would be too intrusive and unwieldy for use at the desktop level. If I want to let my friend Bob use my machine, I can give him my password, but I cannot hand him my retina. Of course, for ultrasensitive applications (bank vaults, national security information, nuclear power facilities) it would be an excellent alternative to the current cards and such which can be stolen.
As to the passphrase idea, it's not -terribly- hard to remember multiple phrases. And you don't need a different one for each site you visit; four or five different ones are sufficient for most people. And it's a lot harder for a would-be cracker to guess that your passphrase is "My daughter threw cake at the dog on her second birthday" than it is to look up your kid's date of birth.
To fight the war on terror, stop being afraid.
I've helped implement a biometric system for time-keeping. I've also worked in very, very secure environments.
There are two definite (and related) advantages to biometric systems.
One -- the bar to "unauthorized use of credentials" is raised to a higher level. Which, to a large degree, is what all security is about. If ${large organization of nefarious intent} wants my data, they have the means to get it. Biometrics helps weed out the less well-funded and well-motivated people. It's like me using one-time passwords for SSH access. No, it doesn't prevent someone from entering my house and installing a tiny hardware key-logger in my PC, but it does stop all of those clowns running dictionary attacks.
With biometrics, people can't just rummage around a desk looking for the password post-it. They (as in your case) have to arrange for greasy finger-print covered glasses and scotch tape. Not insurmountable, just a bit more difficult.
Two -- any kind of remotely plausible deniability in the event of a breach is gone. ("Uh, I don't know how it happened. I just happened to have a jelly mold of this guy's fingerprint..."). Unauthorized access to a biometrically controlled system is pretty solid prima facie evidence that Evil Deeds[TM] are afoot.
Yes, there are problems with biometric authorization. Irrevocability being a very large one. Almost all of the people complaining about biometrics being ineffective -- and almost all of the people touting them as *the* solution to all security problems -- are forgetting one thing.
Security is about the whole organizational process. Total security is enhanced or diminished by the particular method of authentication that you use -- and poor authentication can undermine a lot of the rest of the system. Hackable authentication does not automatically invalidate the rest of the security process. 100% provable authentication does not automatically mean that your system is 100% secure.
Let's look at the example of an anonymous FTP server. There's no authentication. None. However, any sensible person would be running it read-only. It would be jailed or chrooted. IP addresses would be logged for auditing purposes. The partition that the ftp server is serving data from could be mounted noexec. Blah, blah, blah, etc, etc, etc. Here's a case where zero authentication does not mean zero security.
People often talk about biometrics in the context of some theoretical, non-existent system where there is no other security other than this one, initial biometric authentication...and the whole system is either "secure" or "insecure" based on the authentication. Which is just garbage.
Even in the simplest case -- biometric time-keeping -- there are other checks in the system.
Let's assume that worker A and worker B have colluded to provide each other with false handprints. We'll leave out such annoying real-world problems like, "Hey, Bob, why are you clocking in with that jelly-filled hand-on-a-stick?" and assume that worker A and worker B can at any time just clock in and clock out as each other without anyone noticing.
OK, at the end of the week, Manager M gets a payroll report. Manager M gives it a cursory glance. Uber-manager N gets the same report, and gives it an even more cursory glance. Let's not even talk about Director O -- we know that it's just sitting in her in-box with all of the other reports.
HR Flunkie T runs the weekly "check for discrepancies between scheduled shifts and actual time worked" and sends those to Manager, Uber-Manager and Director. Manager M fires an email back saying, "Hey, no problem." Or perhaps the email says, "Hey, worker A is showing up as having no discrepancies -- I distinctly remember that he was thirty minutes late on Tuesday".
Every month, Auditor X takes a brief look at all of the discrepancies between last month and today and all of the explanations for them. Auditor X looks for any suspicious or unusual patterns -- and the absenc
Suppose you are just walking in the streets when someone suddenly shoves a camera to your face and takes a picture. The flashlight blinds you momentarily, so you can't pursue him. He disappears into the crowd with a picture of your retinas in his camera.
What are you going to do? The picture contains all the data he needs to log into online services as you. You cannot change the password, since you don't have any. In theory, you might be able to burn a distinguishing pattern into your retina with a laser - but, of course, that will negatively impact your vision.
So yes, that's exactly what will happen. Someone will steal your retina (or rather, copy the biometric info that is used to authenticate you) and then all your accounts are 0wned for ever and ever.
Not to mention the privacy concerns - I wouldn't want every online service to be able to link my identity to my real one, would you?
Biometric identification is an extremely bad idea that will hopefully die the silent death it deserves.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Using passphrases does not add much more entropy, although they may be easier to remember. They are still prone to sniffing; 40 chars can easily be packed in a single ethernet frame. Could someone tell Microsoft to use encrypted connections?
Users hate passwords, they hate typing them, and they hate having to remember things. They will always opt for whatever is easy. They will hate you if you set a lower limit of 30 characters, and their passphrase was 28.
Passwords or passphrases - same thing - will be chosen easier the more obstacles you place on the users: requiring users to change password every three months will leave your systems less secure:
Users will choose easier passwords, and/or they will rotate just two different passwords. No security gained.
Further, in the race with a bruteforce attack, nothing is gained unless you change your password to one that has been tried.
Instead, as the administrator you have a head start in the race with the crackers. Go password cracking and require users to change their password when it has been cracked.
If a password is cracked too quickly it should be followed by disciplinary action as a compromise of security. Of course the users must be informed beforehand of such procedures.
Just my 5euro-cent contribution...